At Tanium, we know there are never enough hours in the day for our customers to keep up with breaking cybersecurity news. And often, reporting by major TV networks can lack vital detail you need as industry professionals. That’s why we’ve rounded up our top stories of the week to share with you.
Here we go:
Codecov supply chain attack hits hundreds
Reuters’ Joseph Menn and Raphael Satter have an important update to the Codecov breach revealed by the company last week. Investigators told the newswire that attackers compromised hundreds of customers of the code-coverage tool vendor. It’s now being viewed as a supply chain attack with echoes of the sophisticated SolarWinds operation.
Attackers obtained a Codecov credential that let them modify the company’s Bash Uploader script, a helper that customers run inside their continuous-integration pipelines. The tampered script sent the environment variables of those pipelines, which commonly hold credentials, tokens and keys, to a server under the attackers’ control, so anything the developer environment had in scope was exposed.
Codecov has more than 29,000 customers, including some of the world’s biggest tech companies.
Investigators told Reuters that by targeting tech service providers, the threat actors could access thousands more restricted systems. The era of the supply chain attack is truly upon us.
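The practical lesson from the Bash Uploader tampering is to stop treating a downloaded CI helper as trusted code. The following shell functions, added here as an example (this is not Codecov’s code and not the incident’s actual modified script), pin a script to a SHA-256 recorded at review time, refuse to run it on mismatch, and grep a fresh copy for the shape of the modification: a curl or wget call on the same line as an expansion of the whole environment. The hostname `example.invalid`, the placeholder hash and the `UPLOAD_TOKEN` variable are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Codecov's own code: treat a downloaded CI helper script
# as untrusted input. Pin it to a SHA-256 you recorded when you reviewed it,
# refuse to execute on mismatch, and scan incoming copies for the shape of the
# Codecov modification (shipping the CI environment to a remote host).
# Hostnames and hashes below are constructed for illustration.

# Print the SHA-256 of a file; works with GNU coreutils or macOS shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_script FILE EXPECTED_SHA256
# Exit 0 only if FILE hashes to EXPECTED_SHA256. Any upstream change, benign
# or malicious, fails here and forces a human to re-review and re-pin.
verify_script() {
  vs_actual="$(sha256_of "$1")"
  if [ "$vs_actual" != "$2" ]; then
    echo "refusing to run $1: sha256 $vs_actual does not match pinned $2" >&2
    return 1
  fi
  return 0
}

# flag_env_exfil FILE
# Heuristic detector for the pattern used in the Codecov tampering: a curl or
# wget invocation on the same line as an expansion of the whole environment.
# Exit 0 (and print the offending lines) if found, 1 if clean.
flag_env_exfil() {
  grep -nE '(curl|wget).*(\$\(env\)|\$\(printenv\)|`env`)' "$1"
}

# run_pinned URL EXPECTED_SHA256 [ARGS...]
# Safer replacement for `bash <(curl -s URL)`: download to a temp file,
# verify the hash and scan it, and only then execute it with ARGS.
run_pinned() {
  rp_url="$1"; rp_expected="$2"; shift 2
  rp_tmp="$(mktemp)" || return 1
  if ! curl -fsSL "$rp_url" -o "$rp_tmp"; then
    rm -f "$rp_tmp"; return 1
  fi
  if verify_script "$rp_tmp" "$rp_expected" && ! flag_env_exfil "$rp_tmp"; then
    bash "$rp_tmp" "$@"; rp_rc=$?
  else
    rp_rc=1
  fi
  rm -f "$rp_tmp"
  return $rp_rc
}

# Usage in a pipeline step (placeholder hash and host; replace the hash with
# the value you recorded when you reviewed the script):
#   run_pinned https://example.invalid/uploader.sh 0123abcd...ef UPLOAD_TOKEN "$UPLOAD_TOKEN"
```

Pinning by hash means every legitimate upstream update also breaks the build until someone re-reviews and re-pins, which is the point: the cost of looking at a diff is small next to the cost of having a CI pipeline hand its secrets to a stranger. The grep is a heuristic, not a guarantee; an attacker can obfuscate the exfiltration, so treat it as a cheap tripwire on top of the hash check rather than a substitute for it.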
Threat actors targeted insurer to steal customer data for months
Geico admits that information “acquired elsewhere” was used by fraudsters to access customer driver’s license information through its website. The firm warned that such information could be subsequently used to apply for fraudulent unemployment benefits in the victims’ names.
As Zack Whittaker at TechCrunch explains, using previously breached information to pose as legitimate insurance customers is a well-worn tactic used by fraudsters. This incident speaks to the availability of such information and the difficulty firms have in telling real from fake users.
It was also reported that scammers used the ploy undetected from January 21 to March 1. The number of affected customers has not been disclosed. Organizations need to cut off the source of fraud by improving corporate data protection — starting at the endpoint.
Online extortionists demanded $40M from Florida school district
Scott Travis at the South Florida Sun Sentinel has seen a transcript of what’s claimed to be a two-week online negotiation between ransomware actors and the Broward County school district.
In it, the Conti group demanded a $40 million ransom, later reduced to $10 million, for the school district to regain access to its network and to keep one terabyte (TB) of stolen data from being published. The attackers claimed to have financial information, contracts, Social Security numbers, addresses, dates of birth, and other information about students and teachers.
As Travis explains, children’s data is particularly valuable on the cybercrime underground as fraudsters often use it to apply for credit without the victim being aware.
The targeting of schools and other taxpayer-funded organizations by ransomware actors is nothing new. If anything, the incident should be a reminder to practice effective cyber hygiene to minimize opportunities for such attacks.
Intelligence agency warns of mass social media plot to recruit spies
Gordon Corera at the BBC has been speaking to British intelligence agency MI5, which warns that hostile nations are trying to recruit government employees and other individuals via social media. The broadcaster reports that more than 10,000 targets have already been approached over the past five years on LinkedIn.
Malicious profiles are being used at “industrial scale,” claims the head of MI5, Ken McCallum. Corera writes that targets, who could also work in academia or critical infrastructure sectors, are often approached for business and travel opportunities abroad where nations attempt to recruit them.
LinkedIn has welcomed a new government scheme to raise awareness of such threats.
It’s another sign that humans remain one of the weakest links in the security chain. That’s why any effective cyber strategy must include training and awareness alongside technology and process controls.
Pulse Secure customers urged to mitigate critical bug
Another week, another serious software vulnerability to address. This time, researchers have discovered multiple APT groups exploiting a zero-day bug in the Pulse Secure VPN, writes Dan Goodin at Ars Technica.
The authentication bypass vulnerability in Pulse Connect Secure allows attackers to bypass both single- and multi-factor authentication on the appliance, install web shells and carry out cyber-espionage. In some cases it is being chained with older Pulse Secure vulnerabilities disclosed in 2019 and 2020, so appliances that were never patched for those are exposed on more than one front. Customers are being urged to apply the vendor’s mitigations now rather than wait.
US defense, government and financial organizations are among those at risk, but victims may also stretch around the globe. At least one state-backed group has been linked to the activity.
Once again, the incident reminds us how important it is for organizations to gain comprehensive visibility into their IT assets. It’s critical to have the vulnerability and configuration management tools to act quickly when vendors identify problems.
Learn how Tanium can give your organization real-time visibility, comprehensive control and the ability to quickly respond to whatever comes next.